Using Microsoft Office 365 login service with AWS hosted applications

We’ve recently been working on a simple time management app that we host in AWS Elastic Beanstalk. We wanted to hand off responsibility for authenticated users to the Microsoft Office 365 single sign on service (www.microsoftonline.com) hosted on Azure– the user base for the application all have Microsoft Work accounts already set up. We were looking at something like:

To get this logical flow implemented we had to work through a few details. It didn’t help that most of these types of setups employ direct EC2 instances rather than Elastic Beanstalk. But this is (currently) just a simple app so we wanted to maintain the ease of deployment and maintenance that Elastic Beanstalk affords us. We thought it was worth blogging some of the detail:

First things first. The Single Sign On is a secure https call so we had to implement end to end https encryption across the entire solution. AWS’s recommended solution for this is to place a HTTPS/SSL load balancer in front of the web app instance.

Once we’d set this up, we encountered a problem where the load balancer would flag the EC2 instance as unhealthy, and refuse to serve the page. The load balancer polls to see if a 200 (OK) HTTP code is coming back from the app. This wasn’t happening because the authentication was performing a 302 redirect to the Azure microsoftonline service. To overcome this, we wrote a HTTP module to run as a service in the web application. This service checks the user agent supplied by requests to the site to see if they are coming from the load balancer and return a healthy HTTP code.

Et voila - we’ve got a healthy end to end solution for authenticating in Microsoft online with backend AWS hosted apps.